Arista Portal

  • Tag : security

 
 

Group-based Multi-domain Segmentation Services (MSS-Group)

Posted on March 9, 2021 by   |   90 Views

Description The Segment security feature provides the convenience of applying policies on segments rather than interfaces or subnets. Hosts/networks are classified into segments based on prefixes. Grouping prefixes into segments allows for definition of policies between segments that govern flow of traffic between them. Policies define inter-segment or intra-segment communication rules, e.g. segment A can communicate with segment B but hosts in segment B can not communicate with each other. By default traffic destined to a given segment is dropped and explicit allow policies are required to allow communication. Policy configurations in this feature are unidirectional. To allow or drop...
Continue reading →

Port security protect mode enhancements

Posted on September 15, 2020 by   |   178 Views

Description This TOI describes a set of enhancements made to the existing Port Security: Protect Mode feature. Please see the existing TOI for this feature here: https://eos.arista.com/eos-4-24-0f/port-security-protect-mode/ Unless otherwise noted, all information contained in the original Protect Mode TOI continues to apply. The persistent port security feature also continues to be supported, and is described by the following TOI: https://eos.arista.com/eos-4-18-1f/port-security-preserve-macs-on-link-flapreload/ The primary enhancement is extending the limits placed by port security: protect mode to apply to MAC addresses learned in the hardware MAC table. Previously, the port security limit would affect only the forwarding behavior, while allowing an unlimited number...
Continue reading →

Dynamic CLI Access VLAN

Posted on August 21, 2020 by   |   95 Views

Description Dynamic CLI Access VLAN is a command that sets the effective access VLAN in a port without changing the running configuration. The use case is to provide a means for a network management system to quarantine a port in a special VLAN where the device can update its anti-virus (for instance) before exposing the device to the rest of the network. Configuration The following command in the interface configuration node sets the dynamic CLI access VLAN: (config-if-et1)# switchport access vlan dynamic <VLANID> It’s worth emphasizing that even though this is issued in the interface configuration node, it doesn’t show...
Continue reading →

Support for SWI extension (SWIX) verification

Posted on June 8, 2020 by   |   181 Views

Description EOS provides a way to extend its capabilities through the installation of extensions. An extension is a pre-packaged optional feature or a set of scripts, typically in an RPM Package Manager (RPM) or Software image extension (SWIX) format. A SWIX file is a zip file typically containing RPMs, scripts, or other installation mediums that can be installed to alter the base behavior of EOS. SWIX Verification allows for SWIX files to be cryptographically signed with a signature that will be verified by EOS before the extension is installed. This verification process provides the following security benefits: Shows that the...
Continue reading →

Standalone BGP Origin Validation with RPKI

Posted on April 16, 2020 by   |   2380 Views

The Border Gateway Protocol (BGP) is the primary routing protocol used between the tens of thousands of different networks that make up the global Internet. Unfortunately, the original conception of BGP presumed a fundamental level of trust between all of the participating networks, which has repeatedly permitted both major and minor outages across the Internet due to networks accepting incorrect routing information. Either deliberately or accidentally, networks are able to advertise more specific prefix routing information for address space controlled by other networks to their peers over BGP, which causes that traffic to flow through their network instead of to...
Continue reading →

Configurations and Optimizations for Internet Edge Routing

Posted on April 14, 2020 by   |   2767 Views

Introduction For many years, network deployments for enterprise Internet edge environments have consisted of dedicated routing platforms and a switching or aggregation layer to distribute this to various network zones.  With the advances in merchant silicon forwarding engines and the software expertise put into Arista’s Extensible Operating System (EOS), we can now fully replace this legacy architecture with a collapsed routing and switching layer using Arista R Series platforms.  Arista R Series platforms allow for holding a full copy of the Internet routing table for both IPv4 and IPv6 in hardware (the Forwarding Information Base, or FIB) with plenty of...
Continue reading →

Configuring Traffic Flows using sFlow in CVP (Cloudvision Portal) 2019.1.x

Posted on March 20, 2020 by   |   937 Views

Introduction Many users rely on 3rd party flow tools to enable greater visibility into the network and generate alerts when irregular flows have been detected.  However, with the growing number of tools being used to provide this visibility, each with their own strengths, the user may experience tool sprawl.   In order to ease the number of tools required within an environment and move towards the goal of a “Single Pane of Glass” to manage our networks, Cloudvision Portal 2019.1.x provides a built-in IPFIX/sFlow collector that will show the top flows within a network.  Once these flows are collected, they can...
Continue reading →

Securing Inter Domain Routing with RPKI

Posted on November 24, 2019 by   |   3216 Views

Problem definition The debate over challenges and solutions for Secure Interdomain Traffic Exchange is hot as ever these days. The obstacle lies in the fundamental principle of BGP – mutual trust between network operators. Unfortunately, though this principle has led to a number of incidents in the industry, to the public eye only the tip of the iceberg is visible. The results of these incidents are traffic redirection, eavesdropping, DoS attacks and black-holing, to name a few. While incidents number in thousands, the underlying issues are only a few, and vary between accidental route leak through intentional prefix hijack and...
Continue reading →

GTSM for BGP

Posted on June 10, 2019 by   |   128 Views

Description This feature involves the use of packet’s Time to Live (TTL) (IPv4) or Hop Limit (IPv6) attributes to protect BGP peering sessions (both iBgp and eBgp) from an attacker on the network segment causing denial of service using forged IP packets by spoofing the BGP peer’s IP address. The solution is described by the RFC 3682 (Generalized TTL Security Mechanism). The user can configure a minimum TTL for incoming IP packets received from the BGP peer. BGP session will only get established if the TTL value in the received IP packet header is greater than or equal to the...
Continue reading →

BGP Peering – Configuration Best Practices – Security and Manageability

Posted on November 27, 2018 by   |   2900 Views

      BGP Peering – Configuration Best Practices – – – – – – – – – – – – – – – – Security and Manageability       1) Introduction This article provides suggestions of BGP peering configuration, with general best practices and some particular considerations for manageability and security.     2) Arista EOS Security – General   It is recommended to approach security not only specifically for BGP but to englobe other aspects of security for Arista EOS. More global security topics are covered in other articles, listed below. The present article focuses solely on...
Continue reading →

VXLAN: security recommendations

Posted on January 16, 2017 by   |   2302 Views

Abstract This document provides recommendations that are advised to implement in order to increase the security in multitenant network environments built on Arista Networks devices using VXLAN. Introduction One of the crucial qualities of modern cloud network infrastructure is scalability. Scalability can’t be achieved if security of the network operations inside the cloud is compromised. As for example, load scalability is not achievable in environments where the VMs are not able to operate when the network between them is not working properly due to hijacked MAC-addresses. One of the technologies used nowadays to address the challenges with scalability inside the cloud networks...
Continue reading →

GTSM for BGP

Posted on August 25, 2016 by   |   474 Views

Description This feature involves the use of packet’s Time to Live (TTL) (IPv4) or Hop Limit (IPv6) attributes to protect BGP peering sessions (both iBgp and eBgp) from an attacker on the network segment causing denial of service using forged IP packets by spoofing the BGP peer’s IP address. The solution is described by the RFC 3682 (Generalized TTL Security Mechanism). The user can configure a minimum TTL for incoming IP packets received from the BGP peer. BGP session will only get established if the TTL value in the received IP packet header is greater than or equal to the...
Continue reading →

How are people generally separating internal and DMZ networks?

Posted on March 30, 2016 by   |   0 Views

Hi forum, Considering the design elements of a L3LS, the separation of functions into dedicated leaves (such as Services, Compute, Storage, Border), and given Cisco’s VDC and it’s logical separation (or rather, the broadly accepted/ marketed view that secure and less secure networks can be collapsed onto the same physical device) are people doing the same with L3LS deployments with VLANs and VXLAN?  Or are they interconnecting two L3LS ‘instances’ with border leaves with a secure gateway? Cloud datacentres seem to make no distinction between what a customer defines as secure and not secure and generally they seem to suggest...
Continue reading →

Logging – Basic Syslog and Beyond

Posted on February 22, 2016 by   |   876 Views

Overview Logging is often viewed as a basic feature and a common element of all infrastructure devices. But the importance shouldn’t be overlooked. And the related configurations shouldn’t be taken for granted. Whether the purpose is for operations and troubleshooting or to meet compliance requirements, the topic of system logs including how they are configured and where that information is stored should be given more than passing consideration. In this article we’re going to look at basic configuration of Syslog along with some Arista related tips and tricks that will help with operations and compliance. Basic Syslog Beyond operational reasons, logging data is...
Continue reading →

How to Auto-Detect Hotspot SSIDs via Wireless Manager

Posted on December 21, 2015 by   |   276 Views

Introduction There is a high probability of encountering Hotspot SSIDs in an enterprise environment. If a client probes for a well-known Hotspot SSID, it is at risk of connecting to a Hotspot AP, potentially without the user knowing about it. Also, if an enterprise AP broadcasts a Hotspot SSID, such an AP may attract undesirable Clients to connect to it, which may lead to network disruption. This article describes how to Add/Delete Hotspot SSIDs on the Wireless Manager. The system detects the authorized clients in the WLAN that issues “Probe Requests” with the specified hotspot SSIDs and accordingly sends a...
Continue reading →

How to Configure and Assign User Access Roles via RADIUS / NPS

Posted on December 21, 2015 by   |   937 Views

Introduction This article describes how to authenticate users and assign different access roles via RADIUS server (NPS) integration with on-premises Wireless Manager. Prerequisites Administrative access to on-premises Wireless Manager. RADIUS server with Administrator privileges Configured correct shared secret and RADIUS client on the RADIUS server Solution Configure ‘Superuser’ Access Role Log in to NPS with Administrator credentials. Under NPS expand Policies and click Network Policies folder. On the Overview tab, enter the appropriate information. Go to Conditions tab, add Windows Domain Admin group. Go to Constraints tab and enable Authentication Method (PAP) as Wireless Manager communicates with the RADIUS server...
Continue reading →

How to Export Events and Audit Logs to an ArcSight Server

Posted on December 21, 2015 by   |   255 Views

Introduction This article explains the process to add an ArcSight server for the export of Events and Audit logs. Prerequisites Administrative access to Wireless Manager. Information about the ArcSight server destination like IP address and port. Solution This article applies to the on-premises Wireless Manager servers running software version 8.9. If you wish to use Syslog instead, please refer to the Syslog Integration article. Access the configuration by navigating to Configuration → ESM integration → ArcSight Integration The service is enabled by default and you can add a new ArcSight syslog destination by selecting “Add ArcSight Server”. Enter IP address...
Continue reading →

Securing eAPI

Posted on March 30, 2015 by   |   10064 Views

Introduction In this article we will talk about a few tips to secure our eAPI access, for example, HTTPS, changing port, certificate, ACL, on-box, AAA, vrf etc. Turning on/off eAPI First of all, the most secure way is turning off eAPI, which is by default. myswitch#configure myswitch(config)#management api http-commands myswitch(config-mgmt-api-http-cmds)#shutdown To turn eAPI on by “no shutdown”, by default the HTTPS protocol is running and HTTP is turned off for secure purpose, because HTTP send user and password in clear text. HTTP can be used by “protocol http”, however, we recommend using HTTPS. Both HTTP and HTTPS can be used concurrently. myswitch#configure terminal myswitch(config)#management api http-commands...
Continue reading →

« Older posts
Follow

Get every new post on this blog delivered to your Inbox.

Join other followers: